Skill v1.0.0

ClawScan security

Editor Pc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 23, 2026, 3:31 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (remote AI video editing) mostly matches its runtime instructions and required token, but there are small inconsistencies and privacy risks (unknown source, implicit config-path access, and no homepage) that warrant caution.
Guidance
This skill appears to be a front-end for a remote video-editing service and needs a NEMO_TOKEN to operate; that is reasonable. However: (1) the skill originates from an unknown source with no homepage — you can't easily verify the provider. (2) The instructions will upload your video files to an external API (mega-api-prod.nemovideo.ai) — do not upload sensitive or private footage unless you trust that service and its privacy policy. (3) The SKILL.md mentions a local config path (~/.config/nemovideo/) and auto-detecting an install path for header attribution; clarify whether the agent will read or write files in your home directory before installing. (4) If you don't want to expose a long-lived token, use the anonymous token flow but note those tokens have expiry/credits; ask whether tokens are stored persistently. Before installing: verify the service domain and privacy policy (or avoid installing if you cannot verify the vendor), confirm exactly what local files (if any) the skill will access, and prefer using ephemeral anonymous tokens if you must test it.

Review Dimensions

Purpose & Capability
note
The skill claims to perform cloud video editing and requires a NEMO_TOKEN — that is coherent. However, the frontmatter in SKILL.md lists a config path (~/.config/nemovideo/) while the registry metadata reported no required config paths; this mismatch is unexplained. Also the skill's source/homepage are unknown, reducing ability to verify the service.
Instruction Scope
note
SKILL.md instructs the agent to call a remote API (mega-api-prod.nemovideo.ai), create sessions, upload video files, stream SSE responses, poll render status, and (if no env token) obtain an anonymous token via an API call. Those actions are consistent with remote video editing. It does request auto-detection of an install path to set an X-Skill-Platform header and references a local config path — which may require reading local filesystem state (install path or ~/.config) beyond strictly sending the user-provided video. The instructions do not ask for unrelated secrets, but do direct uploading user files to an external service.
Install Mechanism
ok
No install spec and no code files — instruction-only. This is the lowest install risk (nothing is downloaded or written by an installer).
Credentials
note
Only a single credential is declared (NEMO_TOKEN), which fits a cloud API integration. However, SKILL.md's frontmatter includes a config path (~/.config/nemovideo/) which implies possible local config read/write not declared in the registry. The skill also instructs generating an anonymous token via API if no env var exists; consider whether that token will be stored persistently.
Persistence & Privilege
ok
always:false and normal autonomous invocation. The skill does not request elevated or cross-skill privileges. It does create and use session IDs for render jobs, which is expected for the service.